Penetration Testing mailing list archives

Re: Using Null Session information from NAT.EXE


From: Tom Fischer <Tom.Fischer () rus uni-stuttgart de>
Date: Thu, 1 Nov 2001 01:42:23 +0100

Hi,

On Wed, Oct 31, 2001 at 10:07:10AM +0000, Ian Lyte wrote:
[...]
> The big question is, for me anyway, since NAT.EXE has successfully found the
> Admin password it is obviously managing to connect to the other box somehow
> and get authenticated. How is it that NAT can and I can't? Is this due to
> NAT using its own modified SMBCLIENT and if so where can I get a copy of the
> SMBCLIENT only?

What about the different LAN Manager authentication levels? Nat.exe
uses the cygwin.dll (http://www.cygwin.com/) and not Windows' own LAN
Manager authentication.
So have a look at the authentication level:

Windows NT (Q147706):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMcompatibilityLevel
(REG_DWORD)
Level 0 - Send LM response and NTLM response; never use NTLMv2 session
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authentication only
... (default 0)

Windows 2000 (see GroupPolicy: LAN Manager Authentication Level)

Alternatively use a linux box and smbclient ... or cygwin or ...

ciao, Tom
-- 
Tom Fischer                              Tom.Fischer () rus uni-stuttgart de
RUS-CERT University of Stuttgart       Tel:+49 711 685-8076 / -5898 (fax)
Allmandring 30, D-70550 Stuttgart           http://cert.uni-stuttgart.de/
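To make the level mismatch Tom points at concrete, here is an added example (not code from the thread) that models which response types a client sends and a server accepts at each LMCompatibilityLevel, so an administrator can see which client settings a planned server level would lock out. The message lists levels 0-2; levels 3-5 are filled in from Microsoft's documentation of the same key.

```python
"""Model of how LMCompatibilityLevel on two hosts decides whether an
SMB logon can be negotiated. Added example, not from the original thread;
the page lists levels 0-2, levels 3-5 follow Microsoft's documentation."""

# Response types a client at each level is willing to send.
CLIENT_SENDS = {
    0: {"LM", "NTLM"},    # LM and NTLM responses, never NTLMv2 session security
    1: {"LM", "NTLM"},    # same, but NTLMv2 session security if negotiated
    2: {"NTLM"},          # NTLM response only
    3: {"NTLMv2"},        # NTLMv2 response only
    4: {"NTLMv2"},        # NTLMv2 only; as a server also refuses LM
    5: {"NTLMv2"},        # NTLMv2 only; as a server refuses LM and NTLM
}

# Response types a server (or domain controller) at each level accepts.
SERVER_ACCEPTS = {
    0: {"LM", "NTLM", "NTLMv2"},
    1: {"LM", "NTLM", "NTLMv2"},
    2: {"LM", "NTLM", "NTLMv2"},
    3: {"LM", "NTLM", "NTLMv2"},
    4: {"NTLM", "NTLMv2"},  # refuses LM
    5: {"NTLMv2"},          # refuses LM and NTLM
}


def negotiated_auth(client_level, server_level):
    """Return the strongest response type both sides agree on, or None
    when the client offers nothing the server accepts (logon fails)."""
    if client_level not in CLIENT_SENDS or server_level not in SERVER_ACCEPTS:
        raise ValueError("LMCompatibilityLevel must be 0..5")
    common = CLIENT_SENDS[client_level] & SERVER_ACCEPTS[server_level]
    for auth in ("NTLMv2", "NTLM", "LM"):
        if auth in common:
            return auth
    return None


def audit_clients(server_level, client_levels):
    """List the client levels that a server at server_level would lock out,
    which is what to check before raising the level on a file server or DC."""
    return sorted(lvl for lvl in set(client_levels)
                  if negotiated_auth(lvl, server_level) is None)


if __name__ == "__main__":
    # Constructed fleet: a mix of legacy (0-2) and hardened (3-5) clients.
    print(audit_clients(5, [0, 1, 2, 3, 4, 5]))  # -> [0, 1, 2]
```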
